So let's take a step back for a minute. I remember having a discussion three years ago with some consultants who were telling me at the time that, "2004 is the year of identity management!" When it didn't materialize, 2005 become the new "year of IdM". And then 2006.I'm still waiting.But there are indications on the horizon that this year, finally, may actually be the year that IdM takes off and becomes more widely adopted. I really attribute this shift to two factors: Regulation: the explosion in government and industry regulation that require organizations to maintain better control over their enterprises - and then be able to prove that those controls are in place - has been a massive driver that is leading to more widespread adoption of IdM solutions. Technology: implementing an enterprise IdM solution has never been an easy undertaking, but key vendors in the identity management space, like Novell, Sun, Entrust, IBM, Microsoft and Oracle, are making it less painful. Add to this the functionality that allows integration of access control systems for both digital and physical assets, and the business case starts to have some great benefits. Companies like HID and Imprivata offer solutions in this space. So in the case of identity management, technology and regulation have partnered to finally drive adoption of a security solution that most of us believe should have been adopted years ago. While I suppose that is a good thing I do believe it points out a basic flaw in how businesses manage enterprise risk. When you allow government or industry regulation to define your organization's risk management strategy, you are allowing them to define what risk is for your business rather than undertaking a proper review of threats and their impacts that would translate into an accurate risk assessment. In other words: you become more reactive instead of proactive.I don't kid myself and I hope you understanding where I am coming form here. I understand how difficult it is to fight for the resources you need to secure your enterprise, and in a perfect world businesses would base their security investment on a thorough risk assessment. While regulations offer an easier way to get the resources necessary, that often results in sidestepping a thorough evaluation, which I'd argue should be done anyway and actually should be the primary methodology for determining your organization's risk profile. Maybe it's an issue of communication: it's easier to tell corporate management that "we have to do something" as opposed to "we should do something." Do you agree? Please let me know.